Virus:Win32/Virut.BM


Virus:Win32/Virut.BM is a polymorphic file infector that targets .EXE and .SCR files. This virus also opens a backdoor by connecting to an IRC server, allowing a remote attacker to download and execute arbitrary files on the infected computer.


What to do now

Manual removal is not recommended for this threat. Use the Microsoft Malicious Software Removal Tool, Microsoft Security Essentials, Microsoft Safety Scanner, or another up-to-date scanning and removal tool to detect and remove this threat and other unwanted software from your computer. For more information on Microsoft security products, see http://www.microsoft.com/protect/products/computer/default.mspx.
 
Note: The method of infection used by Win32/Virut can damage some infected files beyond repair. In these cases, in order to return a machine to its pre-infected state, it may be necessary to install a clean backup of the operating system and associated applications. 
Recovering from recurring infections on a network
The following additional steps may need to be taken to completely remove this threat from an infected network, and to stop infections from recurring from this and other similar types of network-spreading malware:
 
  1. Ensure that an antivirus product is installed on ALL machines connected to the network that can access or host shares (see the removal guidance above for further detail).
  2. Ensure that all available network shares are scanned with an up-to-date antivirus product.
  3. Restrict permissions as appropriate for network shares on your network. For more information on simple access control, please see: http://technet.microsoft.com/library/bb456977.aspx.
  4. Remove any unnecessary network shares or mapped drives.
 
Note: Additionally it may be necessary to temporarily change the permission on network shares to read-only until the disinfection process is complete.

Threat behavior

Virus:Win32/Virut.BM is a polymorphic file infector that targets .EXE and .SCR files: the virus body is re-encrypted with a different decryptor on each infection, so no fixed byte sequence identifies an infected file. It also opens a backdoor by connecting to an IRC server, allowing a remote attacker to download and execute arbitrary files on the infected computer, and it hooks the native API inside running processes both to hide the infection and to catch files as they are opened.
Spreads Via…
Executable File Infection
Win32/Virut.BM disables Windows File Protection (referred to here as System File Protection, SFP) by injecting code into WINLOGON.EXE. The injected code patches sfc_os.dll, the library that implements the protection, in memory, which in turn allows the virus to infect files protected by SFP without the clean copies being restored.
 
The virus infects .EXE and .SCR files on access, so actions such as copying or viewing files with Explorer, including files on network shares to which the user has write access, result in those files being infected and the virus spreading from machine to machine.
 
The virus injects its own code into a system process such as explorer.exe or winlogon.exe, and hooks low-level (NTDLL layer) native API calls so that it stays resident and gains control whenever a file is opened or a process is created. It hooks the following functions in NTDLL.DLL within each running process:
 
NtCreateFile
NtOpenFile
NtCreateProcess
NtCreateProcessEx
 
Thus, every time an infected process calls one of these functions, execution control is passed to the virus.
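A triage check for exactly this hooking technique, written for this page as an added example and not drawn from the Microsoft write-up: it reads the first bytes of each listed ntdll export inside a target process and decides whether the bytes still look like a syscall stub or have been overwritten with a jump to foreign code. The clean-stub shapes in CLEAN_PREFIXES, the stub address, the hook target and the sample stub bytes at the bottom are assumptions constructed for illustration; reading another process's memory only works on Windows, so the classifier is kept separate from the reader and can be exercised on its own.

```python
"""Heuristic detector for inline hooks on the NTDLL exports listed above.

Added example, not part of the Microsoft write-up.  It assumes the syscall
stub shapes given in CLEAN_PREFIXES; the sample stub bytes at the bottom are
constructed to illustrate a clean stub and two common hook styles.
"""
import struct
import sys

# The NTDLL.DLL exports the description says Win32/Virut.BM hooks in every process.
HOOKED_EXPORTS = ("NtCreateFile", "NtOpenFile", "NtCreateProcess", "NtCreateProcessEx")

# Assumption: an unhooked Nt* stub starts by loading the syscall number into EAX:
#   32-bit ntdll -> B8 imm32            (mov eax, imm32)
#   64-bit ntdll -> 4C 8B D1 B8 imm32   (mov r10, rcx ; mov eax, imm32)
CLEAN_PREFIXES = (b"\xb8", b"\x4c\x8b\xd1\xb8")
MASK64 = (1 << 64) - 1


def classify_stub(stub, stub_va=0):
    """Classify the first bytes of an Nt* stub read from a process.

    Returns {"hooked": bool, "kind": str, "target": int or None}.  stub_va is the
    virtual address the bytes came from; it is only needed to resolve relative jumps.
    """
    if len(stub) < 5:
        raise ValueError("need at least 5 bytes of the stub")
    if any(stub.startswith(p) for p in CLEAN_PREFIXES):
        return {"hooked": False, "kind": "syscall-stub", "target": None}
    op = stub[0]
    if op == 0xE9:                                   # jmp rel32: the classic inline hook
        rel = struct.unpack_from("<i", stub, 1)[0]
        return {"hooked": True, "kind": "jmp-rel32", "target": (stub_va + 5 + rel) & MASK64}
    if op == 0xEB:                                   # jmp rel8 to a nearby trampoline
        rel = struct.unpack_from("<b", stub, 1)[0]
        return {"hooked": True, "kind": "jmp-rel8", "target": (stub_va + 2 + rel) & MASK64}
    if stub[:2] == b"\xff\x25":                      # jmp [abs32] / jmp [rip+disp32]
        return {"hooked": True, "kind": "jmp-indirect", "target": None}
    if op == 0x68 and len(stub) >= 6 and stub[5] == 0xC3:   # push imm32 ; ret
        return {"hooked": True, "kind": "push-ret", "target": struct.unpack_from("<I", stub, 1)[0]}
    return {"hooked": True, "kind": "unexpected-prologue", "target": None}


def read_export_stub(pid, export, length=16):
    """Windows only: read the first bytes of an ntdll export inside process `pid`.

    Relies on ntdll.dll being mapped at the same base in every process, which holds
    on the XP-era systems this virus targets (and within one boot session on later
    Windows).  Returns (bytes, virtual_address).
    """
    if sys.platform != "win32":
        raise OSError("process memory reading is only implemented for Windows")
    import ctypes
    from ctypes import wintypes
    k32 = ctypes.WinDLL("kernel32", use_last_error=True)
    k32.GetModuleHandleW.argtypes = (wintypes.LPCWSTR,)
    k32.GetModuleHandleW.restype = ctypes.c_void_p
    k32.GetProcAddress.argtypes = (ctypes.c_void_p, ctypes.c_char_p)
    k32.GetProcAddress.restype = ctypes.c_void_p
    k32.OpenProcess.argtypes = (wintypes.DWORD, wintypes.BOOL, wintypes.DWORD)
    k32.OpenProcess.restype = ctypes.c_void_p
    k32.ReadProcessMemory.argtypes = (ctypes.c_void_p, ctypes.c_void_p, ctypes.c_void_p,
                                      ctypes.c_size_t, ctypes.POINTER(ctypes.c_size_t))
    k32.CloseHandle.argtypes = (ctypes.c_void_p,)
    PROCESS_VM_READ, PROCESS_QUERY_INFORMATION = 0x0010, 0x0400
    addr = k32.GetProcAddress(k32.GetModuleHandleW("ntdll.dll"), export.encode("ascii"))
    handle = k32.OpenProcess(PROCESS_VM_READ | PROCESS_QUERY_INFORMATION, False, pid)
    if not handle:
        raise ctypes.WinError(ctypes.get_last_error())
    buf = ctypes.create_string_buffer(length)
    got = ctypes.c_size_t()
    try:
        if not k32.ReadProcessMemory(handle, addr, buf, length, ctypes.byref(got)):
            raise ctypes.WinError(ctypes.get_last_error())
    finally:
        k32.CloseHandle(handle)
    return buf.raw[:got.value], addr


def scan_process(pid, exports=HOOKED_EXPORTS):
    """Map each export name to its classification for one process (Windows only)."""
    result = {}
    for name in exports:
        stub, va = read_export_stub(pid, name)
        result[name] = classify_stub(stub, va)
    return result


# Constructed samples: a clean 32-bit XP-style stub, a jmp rel32 hook, a push/ret hook.
CLEAN_X86_STUB = b"\xb8\x25\x00\x00\x00\xba\x00\x03\xfe\x7f\xff\x12\xc2\x2c\x00"
STUB_VA = 0x7C90D000                      # assumed address of the stub inside ntdll
HOOK_TARGET = 0x00401000                  # assumed address of the virus body
JMP_HOOKED_STUB = b"\xe9" + struct.pack("<i", HOOK_TARGET - (STUB_VA + 5)) + b"\x90" * 10
PUSH_RET_STUB = b"\x68" + struct.pack("<I", HOOK_TARGET) + b"\xc3" + b"\x90" * 9

if __name__ == "__main__":
    if len(sys.argv) == 2:                # usage on Windows: python hookcheck.py <pid>
        for name, verdict in scan_process(int(sys.argv[1])).items():
            print(name, verdict)
    else:
        for label, stub in (("clean", CLEAN_X86_STUB), ("jmp", JMP_HOOKED_STUB), ("push/ret", PUSH_RET_STUB)):
            print(label, classify_stub(stub, STUB_VA))
```

Because the virus hooks every process, comparing a suspect process against the scanner's own copy of ntdll proves nothing; the classifier therefore judges the stub shape itself, and the resolved jump target tells you where the injected code lives so it can be dumped for further analysis.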
 
HTML File Infection
It writes code to HTML files that adds a hidden IFrame pointing to the domain 'zief.pl'. When the HTML file is opened, the browser connects to this server without the user's knowledge. The HTML page hosted at this location attempts to exploit a number of different vulnerabilities (including those affecting the user's browser and other applications) in order to run a copy of the virus. These modified HTML files are detected as Virus:HTML/Virut.BH.
 
The virus also modifies the local machine's hosts file, redirecting the domain 'zief.pl' to localhost (127.0.0.1) so that already-infected machines will not run the remotely-hosted copy of the virus. 
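The two host-side traces of the HTML stage, the injected hidden IFrame and the hosts-file entry that sinkholes the domain, can be swept for with the following added example (not Microsoft's detection logic). The domain is the one named above; the size and style heuristics that decide whether an IFrame counts as hidden are assumptions, and the sample HTML and hosts text are constructed.

```python
"""Indicators of the HTML-infection stage described above.

Added example, not part of the Microsoft write-up.  The domain is the one the
description names; the hidden-iframe size thresholds are an assumption, and the
sample HTML and hosts-file text at the bottom are constructed.
"""
import re
from html.parser import HTMLParser

INJECT_DOMAIN = "zief.pl"


class _IFrameCollector(HTMLParser):
    """Collect the attributes of every <iframe> start tag."""

    def __init__(self):
        super().__init__()
        self.iframes = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "iframe":
            self.iframes.append({k.lower(): (v or "") for k, v in attrs})


def _host_of(url):
    """Extract the host part of a URL or bare host string, lower-cased."""
    stripped = re.sub(r"^[a-z][a-z0-9+.-]*://", "", url.strip().lower())
    return stripped.split("/", 1)[0].split(":", 1)[0]


def _matches_domain(host, domain):
    return host == domain or host.endswith("." + domain)


def _is_hidden(attrs):
    """Assumed heuristics for an iframe meant not to be seen by the user."""
    style = attrs.get("style", "").replace(" ", "").lower()
    if "display:none" in style or "visibility:hidden" in style:
        return True
    for dim in ("width", "height"):
        raw = attrs.get(dim, "").strip().lower().rstrip("px")
        if raw.isdigit() and int(raw) <= 1:
            return True
    return False


def find_injected_iframes(html_text, domain=INJECT_DOMAIN):
    """Return [{"src": ..., "hidden": bool}] for iframes that point at `domain`."""
    parser = _IFrameCollector()
    parser.feed(html_text)
    hits = []
    for attrs in parser.iframes:
        src = attrs.get("src", "")
        if src and _matches_domain(_host_of(src), domain):
            hits.append({"src": src, "hidden": _is_hidden(attrs)})
    return hits


def hosts_sinkhole_entries(hosts_text, domain=INJECT_DOMAIN):
    """Return hosts-file lines that pin `domain` (or a subdomain) to loopback.

    An infected machine writes such an entry so that it does not re-run the
    remotely hosted copy of the virus; on a machine with no reason to know the
    domain, the entry itself is an indicator.
    """
    found = []
    for line in hosts_text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) < 2 or fields[0] not in ("127.0.0.1", "::1"):
            continue
        if any(_matches_domain(h.lower(), domain) for h in fields[1:]):
            found.append(line.strip())
    return found


# Constructed samples.
INFECTED_HTML = (
    "<html><body><p>Welcome</p>\n"
    '<iframe src="http://zief.pl/" width=1 height=1 style="visibility: hidden"></iframe>\n'
    "</body></html>"
)
CLEAN_HTML = '<html><body><iframe src="https://www.example.com/widget" width="300"></iframe></body></html>'
HOSTS_TEXT = (
    "# sample hosts file (constructed)\n"
    "127.0.0.1       localhost\n"
    "127.0.0.1       zief.pl\n"
)

if __name__ == "__main__":
    print(find_injected_iframes(INFECTED_HTML))
    print(find_injected_iframes(CLEAN_HTML))
    print(hosts_sinkhole_entries(HOSTS_TEXT))
```

Run `find_injected_iframes` over the contents of every .htm/.html file on a suspect machine or share and `hosts_sinkhole_entries` over %SystemRoot%\system32\drivers\etc\hosts; a hit from either is worth a full scan of that machine, since the entry is written by the virus itself rather than by the web page.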
Payload
Backdoor Functionality
Virut.BM connects to the Internet Relay Chat (IRC) server 'irc.zief.pl' over TCP port 80, rather than a standard IRC port, and joins a particular channel. Should this fail, it instead attempts to connect to 'proxim.ircgalaxy.pl', also on port 80.
 
It contains functionality to download and execute arbitrary files on the affected system. This may include additional malware. The backdoor can also be used to change the host that it connects to for control.
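Because the backdoor speaks IRC on port 80, a port-based rule sees only "web traffic"; what gives it away is IRC verbs where an HTTP request line should be. The following added example (not Microsoft's detection logic) applies that check, and the known-host check, over connection records. The two C2 hostnames come from the description above; the record format and every sample line are constructed.

```python
"""Flag IRC sessions on TCP port 80, the transport the Virut backdoor uses.

Added example, not part of the Microsoft write-up.  The two C2 hostnames come
from the description above; the log format and every record below are constructed.
Record format (one per connection):
    <timestamp> <src_ip>:<src_port> -> <dst_host>:<dst_port> <first client line>
"""
KNOWN_C2_HOSTS = {"irc.zief.pl", "proxim.ircgalaxy.pl"}
IRC_VERBS = {"NICK", "USER", "PASS", "JOIN", "PRIVMSG", "MODE", "PONG"}
HTTP_METHODS = {"GET", "POST", "HEAD", "PUT", "DELETE", "OPTIONS", "CONNECT", "TRACE"}


def classify_payload(first_line):
    """Return "http", "irc" or "unknown" from the first client line of a session."""
    verb = first_line.strip().split(" ", 1)[0].upper()
    if verb in HTTP_METHODS:
        return "http"
    if verb in IRC_VERBS:
        return "irc"
    return "unknown"


def parse_record(line):
    """Parse one constructed connection record into a dict."""
    parts = line.rstrip("\n").split(" ", 4)
    if len(parts) < 4 or parts[2] != "->":
        raise ValueError("malformed record: %r" % line)
    dst_host, dst_port = parts[3].rsplit(":", 1)
    return {
        "ts": parts[0],
        "src": parts[1],
        "dst_host": dst_host.lower(),
        "dst_port": int(dst_port),
        "payload": parts[4] if len(parts) == 5 else "",
    }


def detect_irc_backdoor(lines):
    """Return alerts for records that match the backdoor's behaviour.

    Two independent reasons are checked so that a changed C2 host (the backdoor
    can be told to switch servers) still trips the protocol/port mismatch rule.
    """
    alerts = []
    for line in lines:
        if not line.strip():
            continue
        rec = parse_record(line)
        reasons = []
        if rec["dst_host"] in KNOWN_C2_HOSTS:
            reasons.append("known-c2-host")
        if rec["dst_port"] == 80 and classify_payload(rec["payload"]) == "irc":
            reasons.append("irc-on-port-80")
        if reasons:
            alerts.append({"src": rec["src"],
                           "dst": "%s:%d" % (rec["dst_host"], rec["dst_port"]),
                           "reasons": reasons})
    return alerts


# Constructed records: two sessions to the named C2 hosts, one IRC session on
# port 80 to an unlisted host, one ordinary HTTP request and one IRC session on
# a normal IRC port.
SAMPLE_LOG = [
    "2009-02-05T10:00:01 10.0.0.5:1043 -> irc.zief.pl:80 NICK abcdefg",
    "2009-02-05T10:00:02 10.0.0.5:1044 -> www.example.com:80 GET / HTTP/1.1",
    "2009-02-05T10:00:03 10.0.0.7:1100 -> 203.0.113.9:80 USER x 0 * :x",
    "2009-02-05T10:00:04 10.0.0.5:1045 -> proxim.ircgalaxy.pl:80 PASS p",
    "2009-02-05T10:00:05 10.0.0.9:1200 -> www.example.com:6667 NICK legit",
]

if __name__ == "__main__":
    for alert in detect_irc_backdoor(SAMPLE_LOG):
        print(alert)
```

The third sample line is the one that matters operationally: the host is not on any list, yet the session is still caught because no legitimate client opens a port-80 connection with an IRC USER command.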
Additional Information
Virut.BM creates the event 'Vx_5' to prevent multiple copies of itself from running simultaneously on the affected system. A minor variant may also create a mutex named "l0r5" for the same purpose.
 
Analysis by Hamish O'Dea and Chun Feng

Symptoms

There are no common symptoms associated with this threat. Alert notifications from installed Antivirus software may be the only symptom(s).

Prevention


Alert level: Severe
First detected by definition: 1.51.303.0
Latest detected by definition: 1.163.1902.0 and higher
First detected on: Feb 05, 2009
This entry was first published on: Feb 06, 2009
This entry was updated on: Apr 17, 2011

This threat is also detected as:
  • Win32/Virut.NBK (ESET)
  • W32/Scribble-A (Sophos)
  • Virus:Win32/Sqraw.gen!A (Microsoft)